The importance of a strong patch management strategy has been highlighted by a new report which shows that the majority of vulnerabilities used by ransomware actors have been known about for years.
The report, ‘2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management’, highlights that more than 76 percent of vulnerabilities still being exploited by ransomware were discovered between 2010 and 2019.
The report also identified 56 new vulnerabilities associated with ransomware threats among a total of 344 threats identified in 2022 marking a 19 percent increase year-over-year.
Other top findings from the Cyber Security Works (CSW), Ivanti, Cyware, and Securin report include:
- Scanners are not detecting all threats: popular scanners do not detect 20 vulnerabilities associated with ransomware.
- More APT groups are launching ransomware attacks: CSW observed more than 50 advanced persistent threat (APT) groups deploying ransomware to launch attacks - a 51 percent increase from 33 in 2020.
- Many vulnerabilities have not yet been added to CISA’s KEV list: While the CISA Known Exploited Vulnerabilities (KEVs) catalog contains 8661 vulnerabilities, 131 of the vulnerabilities associated with ransomware are yet to be added.
- Multiple software products are affected by open-source issues: reusing open-source code in software products replicates vulnerabilities.
- Common Vulnerability Scoring System (CVSS) scores may mask risks: the study found 57 ransomware-associated vulnerabilities with low and medium-sized scores that are associated with infamous ransomware families and can wreak havoc on an organization and disrupt business continuity.
“Our survey findings indicate that knowledge has not translated to power for many organizations,” said Aaron Sandeen, CEO and Co-founder of CSW and Securin. “IT and security teams are being tripped up by open-source, old, and low-scoring vulnerabilities associated with ransomware. IT and security teams will want to scrutinize both in-house and vendor software to identify and remediate vulnerabilities before deploying new solutions and patch existing software as soon as vulnerabilities are announced.”